Buying more bandwidth can be an expensive business if you want to avoid bottlenecks. Karl Cushing explains how The Royal Borough of Kensington and Chelsea rolled out an ISP service to solve the problem.

Avoiding bottlenecks is a headache for any organisation considering becoming an Internet service provider (ISP). A simple solution is to buy more bandwidth, but this is an expensive business and it will not necessarily solve the problem of Internet traffic clogging up the system in the long run. So, when money is tight and a bottleneck is imminent, what do you do?

The Royal Borough of Kensington and Chelsea faced this problem when Internet usage on its network climbed. It decided to roll out an ISP service to the 36 schools in the area. The borough's existing network offered just 2mbps of bandwidth. As Russell Hookway, the borough's network and telecommunications manager, explains, "Bandwidth is expensive and this was a good place to start."

But, although this was sufficient for servicing its corporate concerns, the network's capacity began to look increasingly insufficient.

It was unclear whether the existing network could cope with the increase in traffic. But there was no money for providing new bandwidth.

"To keep throwing bandwidth at the problem is not the solution," says Hookway.

Instead Kensington and Chelsea invested in traffic management technology. And following a successful trial three years ago, the borough decided to use Packetshaper from application performance infrastructure firm Packeteer. He says that this option has allowed the borough to maximise the available bandwidth.

"People don't realise that you can manage traffic to this level," Hookway says.

The borough bought seven Packetshapers. Put simply, they sit on the network and monitor the traffic, allowing prioritising of important items.

As well as providing information on the amount and types of traffic using the network, Packetshaper provides the borough with a graphical interface, showing graphs detailing hourly trends. Using this information, Kensington and Chelsea can partition ports, limit the amount of bandwidth available to certain ports and guarantee important traffic takes precedence.

Hookway says that without it, the borough could not have become an ISP for its local schools — a role it has been carrying out for the past two years. "We encourage them to use us as an ISP," he says. "Then we can also provide them with intranet and email services." Hookway points out that although schools are charged for the ISP service, it does not make a profit.

Initially, the schools were using 128Kbyte integrated services digital network links, which resulted in "an obvious bottleneck". But they have since invested in local proxy servers to speed up their Internet connections. Hookway says that half the schools now have 2mbps connections and the others are raising the money to follow suit.

Four schools from the Royal Borough of Kensington and Chelsea are also part of a local City Learning Centre initiative, which aims to promote IT in the area's schools.

"It's getting bigger and bigger and Internet usage is increasing all the time," says Hookway.

The need for bandwidth management can be seen in the simple statistic that, even using Packetshaper, the pipe is being utilised to 80% capacity for most of the day.

Up until now, the borough has managed with its 2mbps link. But because it is to introduce free broadband Internet access in its five libraries in the autumn, it has chosen to invest in a 10mbps link, using corporate funding. The link will go live in September.

Hookway believes that the use of Internet in schools "is still in its infancy at the moment" and "usage is just going to go up and up" so capacity will need to be increased.

He points out that schools are bound to start making further use of facilities such as videoconferencing and video/audio streaming.

"To deliver those services you've got to manage the link," Hookway says.

The borough also redeveloped its Web site at the beginning of the year and it is being continually redeveloped in line with government initiatives — such as providing the ability to pay parking tickets online — which will also have an impact on the amount of traffic the borough will have to deal with.

Another benefit of traffic management technology is that it increases visibility across the network. For example, the borough can see the top 10 Internet sites being used at any time. It can use this information to deny access to any sites that it deems unsuitable or that use too much bandwidth. The borough also uses Web-filtering software on a school-by-school basis.

Hookway says there were no teething problems in setting up the system. "It just sits on the network and listens to traffic," he explains. "It's very much a 'plug and play' application, which learns as it goes."

Having set up the system, it was a case of tailoring it to the needs of the network. According to Hookway, there are no training considerations — all that is required is a basic understanding of Internet traffic management.

The hardware was a one-off cost of just over £70,000. And Packeteer charges a further 5% per year for maintenance of the system.

"It has paid for itself over and over," says Hookway. "It is one of those devices that delivers exactly what it says it will deliver."

What is traffic management technology?

Traffic and bandwidth management systems can help to deliver predictable and efficient performance for applications running over both wide area networks and the Internet.

By providing a breakdown of the different traffic using the network, firms can ensure that important traffic gets priority and capacity is available for bandwidth-hungry services such as audio and video streaming. Less important traffic such as private e-mails uses the surplus bandwidth when it becomes available.

For Internet service providers, managing bandwidth more effectively means that more customised bandwidth services can be delivered to end-users.

Traffic management technology helps organisations to squeeze the maximum benefit from the available bandwidth on their existing networks. It is a much cheaper alternative to purchasing more bandwidth and should lead to a more consistent throughput.

How traffic began to flow 



* There is one Packetshaper on either side of the firewall
* One is used for primary and nursery schools
* A separate one is used for secondary schools
* One sits on the wide area network, monitoring applications used by 80 remote sites
* One is used to squeeze the best throughput from the borough's virtual private network links
* And another is used in the "DMZ" where the Internet site is published.

The project in a nutshell

THE PROBLEM

The Royal Borough of Kensington and Chelsea was faced with a bottleneck problem on its Internet network and could not afford to invest in new bandwidth.

SOLUTION

It invested in a cost-effective traffic management system, which allowed it to maximise the use of its bandwidth and prioritise important traffic.

The Microsoft Proxy Server is reviewed. It is an easy-to-use Windows NT-specific firewall system, supports standard protocols and proxy techniques and provides excellent systems integration and reporting facilities. It will appeal to intranet managers who are committed to a Microsoft-supplied infrastructure and to those who are merely looking for an effective and simple solution. Proxy servers can minimize bandwidth consumption and improve performance through the use of caching technology. Microsoft Proxy Server only caches Web data. The most important aspects of the Proxy Server are its abilities to control who is allowed to do what, when and to where and its ability to monitor activity. Proxy Server supports 3 methods of user authentication: anonymous access, which allows any client to access the proxy service; basic authentication, the standard challenge/response mechanism implemented by Web servers; and NT Challenge/Response, a proprietary mechanism that is at the heart of Microsoft's Windows NT security scheme.

Text: 

Connecting your intranet to the Internet without an effective firewall is unthinkable - you absolutely have to control which packets from what addresses carrying which protocols go where. In the absence of such controls, the value derived from intranet service can be outweighed by the dollar losses incurred from misuse and hacking.

Given that this critical need can be expressed in terms of dollars saved or at risk, it is not surprising that many highly competitive players are attracted to the firewall market. And it's no wonder Microsoft Corp. has joined the fray.

The Microsoft Proxy Server, an easy-to-use Windows NT-specific firewall system, supports standard protocols and proxy techniques and provides excellent systems integration and reporting facilities. Competitively priced at $995, it will appeal to intranet managers who are committed to a Microsoft-supplied infrastructure and to those who are merely looking for an effective and simple solution.

Taking requests

Proxy Server comprises Web and WinSock components. The CERN-compliant Web Proxy Server can handle the File Transfer Protocol (FTP), HTTP and Gopher protocols. It also supports tunneling of Secure Sockets Layer (SSL) requests so you can provide access to Web servers via secure connections.

Any application on any operating system that can be configured for a CERN-compliant proxy will work with the Microsoft Proxy Server.

The WinSock Proxy Server handles other TCP/IP protocols, including Internet Relay Chat for real-time chat, the Network News Transport Protocol for newsgroups, Post Office Protocol 3 and Simple Mail Transfer Protocol for e-mail, RealAudio for streaming audio and VDOLive for streaming video. At present, this proxy server supports Windows clients using WinSock Version 1.1. Microsoft expects to support WinSock 2.0 in the next version, but it has not committed to a release date.

The WinSock Proxy Server requires installation of client software that has a Dynamic Link Library supplementing the WINSOCK.DLL. This additional DLL intercepts Windows socket calls, examines them and, if the destination is local, hands them over to the original WinSock DLL. If the destination is not local, the DLL routes the call to the WinSock Proxy Server.

Of value for NetWare sites, Microsoft uses IPX, not TCP/IP, as the transport for WinSock Proxy Server access. Microsoft Proxy Server performs all the conversions to and from IPX and TCP/IP and, in effect, treats all requests as if for remote locations.

Microsoft 'caches' on

Proxy servers can minimize bandwidth consumption and improve performance through the use of caching technology. With caching, the server keeps a copy of data it retrieves, so when the client requests that data again, the proxy server can return it from the cache rather than getting another copy from the target server.

Microsoft Proxy Server only caches Web data. Microsoft has not announced plans for expanding caching to FTP or Gopher data.

For Proxy Server's cache, Microsoft recommends a minimum allocation of at least 100M bytes, plus 0.5M bytes for each Web proxy service client, rounded up to the nearest full megabyte. Providing proxy service to 50 Web clients, for example, calls for at least a 125Mbyte cache.

Intranet managers can control the way Proxy Server performs the caching by setting the amount of time that cached data is retained before it expires and needs refreshing. The data retention period is called Time-to-Live (TTL).

They also can control to what degree active caching is used. Active caching is a sophisticated mechanism that refreshes data in the cache without client requests forcing the update. The server automatically refreshes the cache based on how often the data is requested.

While intranet managers can adjust the TTL and active caching mechanisms, automatic analysis of cache activity determines the final caching behavior.

Control and logging 

The most important aspects of the Proxy Server are its abilities to control who is allowed to do what, when and to where and its ability to monitor activity.

When configuring the two distinct Proxy Server components, you can control which users and groups, as defined in the Windows NT User Manager for Domains, are allowed to access the Web and WinSock proxy servers.

Proxy Server supports three methods of user authentication: anonymous access, which allows any client to access the proxy service; basic authentication, the standard challenge/response mechanism implemented by Web servers; and NT Challenge/Response, a proprietary mechanism that is at the heart of Microsoft's Windows NT security scheme.

Basic authentication works adequately, but a hacker with a network protocol analyzer can easily hack it. However, combining basic authentication and SSL provides a robust security architecture.
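The weakness described above comes from Basic authentication only base64-encoding the credentials, so any request seen outside SSL gives them away. The following Python audit check is an added example, not code from the review or from Microsoft; the sample request, the user name and the function name find_basic_credentials are constructed for illustration.

```python
import base64

# Constructed sample (not from the review): a browser request sent to a
# proxy over cleartext HTTP, carrying Basic credentials.
SAMPLE_REQUEST = (
    b"GET http://www.example.com/ HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"jsmith:Winter97") + b"\r\n"
    b"User-Agent: Mozilla/3.0\r\n"
    b"\r\n"
)

AUTH_HEADERS = {"authorization", "proxy-authorization"}


def find_basic_credentials(raw_request: bytes, over_tls: bool) -> list:
    """Report every Basic credential header found in a raw HTTP request.

    over_tls says whether the request travelled inside SSL/TLS; Basic
    credentials seen outside it are readable by anyone on the path.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in AUTH_HEADERS:
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue  # other schemes do not carry a base64 user:password pair
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        user, _, password = decoded.decode("latin-1").partition(":")
        findings.append({
            "header": name.strip(),
            "user": user,  # recovered with no key: base64 is not encryption
            "password_recoverable": bool(password),
            "exposed": not over_tls,
        })
    return findings


if __name__ == "__main__":
    for finding in find_basic_credentials(SAMPLE_REQUEST, over_tls=False):
        print(finding)
```
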

The NT Challenge/Response also is robust, but applies to Microsoft products only. This means the only browser that can use it is Microsoft's Internet Explorer.

Intranet managers also have the option of filtering requests to either specifically allow or deny access to servers by domain or IP network or node address.
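The allow/deny filter described above, written out as an added Python example (not code from the review or from Microsoft Proxy Server); the rule syntax, the host names and the functions matches and is_allowed are assumptions made for illustration. Domain rules are matched on label boundaries, the case a plain suffix comparison gets wrong.

```python
import ipaddress


def matches(rule: str, host: str) -> bool:
    """True if host (a DNS name or IP literal) falls under rule.

    rule is a domain ("example.com"), an IP network ("10.1.0.0/16")
    or a single node address ("192.0.2.7"). Rule syntax is assumed.
    """
    try:
        net = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        net = None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if net is not None:
        # Network and node rules only ever match IP literals.
        return addr is not None and addr.version == net.version and addr in net
    if addr is not None:
        return False  # domain rules never match IP literals
    rule, host = rule.lower().strip("."), host.lower().rstrip(".")
    # Compare on label boundaries so "badexample.com" is not treated
    # as part of "example.com".
    return host == rule or host.endswith("." + rule)


def is_allowed(host: str, rules: list, default_allow: bool) -> bool:
    """default_allow=True: rules form a deny list; False: an allow list."""
    hit = any(matches(rule, host) for rule in rules)
    return not hit if default_allow else hit


if __name__ == "__main__":
    # Constructed sample rules and destinations.
    deny = ["example.com", "192.0.2.7"]
    for dest in ("www.example.com", "badexample.com", "192.0.2.7", "192.0.2.8"):
        print(dest, "allowed" if is_allowed(dest, deny, True) else "denied")
```
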

What's more, extensive logging is available with the Web and WinSock components. The Proxy Server can log access data to flat files or SQL databases. And for the flat-file logging, you can automatically create files for each day, week, month or when the log file reaches a certain size.

Up and running

Microsoft Proxy Server is actually an Internet Information Server (IIS) service. So to operate it, you have to install the IIS Web server first.

(Table Omitted) 

Captioned as: PRODUCT CAPSULE 
(Table Omitted) 
Captioned as: PROS AND CONS 

Proxy Server installation is easy; it takes only about 10 minutes. The installation guide is an excellent HTML document set.

I didn't find any problems while installing or operating the product. The interaction of Proxy Server with Remote Access Server connections was flawless (though for dial-up connections the setup time usually causes the browser to time out before the connection completes), and the translation to and from IPX is transparent.

Unlike some other proxy service products I've tried, the performance penalty involved with Proxy Server appears negligible.

Intranet value 

The Microsoft Proxy Server is a well-designed product that is perfect for intranet use. The server combines a broad range of protocol support with sophisticated caching and integration with the IIS service manager and performance monitor.

In addition, third-party vendors can add functionality to Proxy Server. For instance, Trend Communications has produced an add-on that performs virus detection and removal.

In short, Microsoft Proxy Server makes controlling the which/what/where of intranet connectivity much easier.